Exam: CCFH-202
Title:
https://www.passcert.com/CCFH-202.html
1. Which of the following is a suspicious process behavior?
A. PowerShell running an execution policy of RemoteSigned
B. An Internet browser (e.g., Internet Explorer) performing multiple DNS requests
C. PowerShell launching a PowerShell script
D. Non-network processes (e.g., notepad.exe) making an outbound network connection
Answer: D
Explanation:
Non-network processes are processes that are not expected to communicate over the network, such as notepad.exe. If they make an outbound network connection, it could indicate that they are compromised or maliciously used by an adversary. PowerShell running an execution policy of RemoteSigned is a default setting that allows local scripts to run without digital signatures. An Internet browser performing multiple DNS requests is a normal behavior for web browsing. PowerShell launching a PowerShell script is also a common behavior for legitimate tasks.
Reference:
https://www.crowdstrike.com/blog/tech-center/detect-malicious-use-of-non-network-processes/
2. Which field should you reference in order to find the system time of a *FileWritten event?
A. ContextTimeStamp_decimal
B. FileTimeStamp_decimal
C. ProcessStartTime_decimal
D. timestamp
Answer: A
Explanation:
ContextTimeStamp_decimal is the field that shows the system time of the event that triggered the sensor to send data to the cloud. In this case, it would be the time when the file was written.
FileTimeStamp_decimal is the field that shows the last modified time of the file, which may not be the same as the time when the file was written. ProcessStartTime_decimal is the field that shows the start time of the process that performed the file write operation, which may not be the same as the time when the file was written. timestamp is the field that shows the time when the sensor data was received by the cloud, which may not be the same as the time when the file was written.
Reference:
https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/
3. What Search page would help a threat hunter differentiate testing, DevOps, or general user activity from adversary behavior?
A. Hash Search
B. IP Search
C. Domain Search
D. User Search
Answer: D
Explanation:
User Search is a search page that allows a threat hunter to search for user activity across endpoints and correlate it with other events. This can help differentiate testing, DevOps, or general user activity from adversary behavior by identifying anomalous or suspicious user actions, such as logging into multiple systems, running unusual commands, or accessing sensitive files.
Download the latest CrowdStrike CCFH-202 exam dumps to ensure your success
Reference: https://www.crowdstrike.com/blog/tech-center/user-search-in-crowdstrike-falcon/
4. An analyst has sorted all recent detections in the Falcon platform to identify the oldest in an effort to determine the possible first victim host. What is this type of analysis called?
A. Visualization of hosts
B. Statistical analysis
C. Temporal analysis
D. Machine Learning
Answer: C
Explanation:
Temporal analysis is a type of analysis that focuses on the timing and sequence of events in order to identify patterns, trends, or anomalies. By sorting all recent detections in the Falcon platform to identify the oldest, an analyst can perform temporal analysis to determine the possible first victim host and trace back the origin of an attack.
Reference: https://www.crowdstrike.com/blog/tech-center/temporal-analysis-in-crowdstrike-falcon/
5. Refer to Exhibit.
Falcon detected the above file attempting to execute.
At initial glance, what indicators can we use to provide an initial analysis of the file?

A. VirusTotal, Hybrid Analysis, and Google pivot indicator lights enabled
B. File name, path, Local and Global prevalence within the environment
C. File path, hard disk volume number, and IOC Management action
D. Local prevalence, IOC Management action, and Event Search
Answer: B
Explanation:
The file name, path, Local and Global prevalence are indicators that can provide an initial analysis of the file without relying on external sources or tools. The file name can indicate the purpose or origin of the file, such as if it is a legitimate application or a malicious payload. The file path can indicate where the file was located or executed from, such as if it was in a temporary or system directory. The Local and Global prevalence can indicate how common or rare the file is within the environment or across all Falcon customers, which can help assess the risk or impact of the file.
Reference:
https://www.crowdstrike.com/blog/tech-center/understanding-file-prevalence-in-crowdstrike-falcon/
6. A benefit of using a threat hunting framework is that it:
A. Automatically generates incident reports
B. Eliminates false positives
C. Provides high fidelity threat actor attribution
D. Provides actionable, repeatable steps to conduct threat hunting
Answer: D
Explanation:
A threat hunting framework is a methodology that guides threat hunters in planning, executing, and improving their threat hunting activities. A benefit of using a threat hunting framework is that it provides actionable, repeatable steps to conduct threat hunting in a consistent and efficient manner. A threat hunting framework does not automatically generate incident reports, eliminate false positives, or provide high fidelity threat actor attribution, as these are dependent on other factors such as data sources, tools, and analysis skills.
Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-framework/
7. Which of the following is an example of a Falcon threat hunting lead?
A. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories
B. Security appliance logs showing potentially bad traffic to an unknown external IP address
C. A help desk ticket for a user clicking on a link in an email causing their machine to become unresponsive and have high CPU usage
D. An external report describing a unique 5 character file extension for ransomware encrypted files
Answer: A
Explanation:
A Falcon threat hunting lead is a piece of information that can be used to initiate or guide a threat hunting activity within the Falcon platform. A routine threat hunt query showing process executions of single letter filename (e.g., a.exe) from temporary directories is an example of a Falcon threat hunting lead, as it can indicate potential malicious activity that can be further investigated using Falcon data and features. Security appliance logs, help desk tickets, and external reports are not examples of Falcon threat hunting leads, as they are not directly related to the Falcon platform or data.
Reference: https://www.crowdstrike.com/blog/tech-center/threat-hunting-leads-in-crowdstrike-falcon/
8. The Falcon Detections page will attempt to decode Encoded PowerShell Command line parameters when which PowerShell Command line parameter is present?
A. -Command
B. -Hidden
C. -e
D. -nop
Answer: A
Explanation:
The Falcon Detections page will attempt to decode Encoded PowerShell Command line parameters when the -Command parameter is present. The -Command parameter allows PowerShell to execute a specified script block or string. If the script block or string is encoded using Base64 or other methods, the Falcon Detections page will try to decode it and show the original command. The -Hidden, -e, and -nop parameters are not related to encoding or decoding PowerShell commands.
Reference:
https://www.crowdstrike.com/blog/tech-center/decoding-powershell-commands-in-crowdstrike-falcon/
9. Which structured analytic technique contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis?
A. Model hunting framework
B. Competitive analysis
C. Analysis of competing hypotheses
D. Key assumptions check
Answer: C
Explanation:
Analysis of competing hypotheses is a structured analytic technique that contrasts different hypotheses to determine which is the best leading (prioritized) hypothesis. It involves listing all the possible hypotheses, identifying the evidence and assumptions for each hypothesis, evaluating the consistency and reliability of the evidence and assumptions, and rating the likelihood of each hypothesis based on the evidence and assumptions.
Reference: https://www.crowdstrike.com/blog/tech-center/analysis-of-competing-hypotheses/
10. Which SPL (Splunk) field name can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search?
A. utctime
B. convtime
C. _time
D. time
Answer: C
Explanation:
_time is the SPL (Splunk) field name that can be used to automatically convert Unix times (Epoch) to UTC readable time within the Falcon Event Search. It is a default field that shows the timestamp of each event in a human-readable format. utctime, convtime, and time are not valid SPL field names for converting Unix times to UTC readable time.
Reference:
https://www.crowdstrike.com/blog/tech-center/understanding-timestamps-in-crowdstrike-falcon/